Friday, July 17, 2009

Exchange 2007- Mapi session exceeded the maximum of 32 objects of type "session"

Two days back i faced a strange issue from one of the user that he is not able to open his outlook. Although he can open his OWA but whenever he open his outlook he is getting following error

“Unable to open your default e-mail folders. You must connect to your Microsoft Exchange Server computer with the current profile before you can synchronize your folders with the offline folder file”

After further investigation i found that there is an event logged in the application events of the mailbox server for the same user

Event Type:      Error
Event Source:      MSExchangeIS
Event Category:      General
Event ID:      9646
Date:            XXXXX
Time:           XXXXX
User:            N/A
Computer:      XXXXX
Description:
Mapi session "/o=firstorganisation=XXXX/cn=Recipients/cn=username" exceeded the maximum of 32 objects of type "session".

After researching i found following KB on the same issue

http://support.microsoft.com/kb/842022

As per this KB this issue may occur if the following conditions are true:

  • You have installed Microsoft Exchange Server 2003 Service Pack 1 (SP1) on the Exchange Server computer.
  • A program that is running on a client computer opens many MAPI sessions to the Exchange Server computer. The number of MAPI sessions is larger than the permitted limit.
  • You are using Microsoft Office Outlook 2007, and you add a large additional mailbox to your profile. For example, this issue may occur if the additional mailbox contains more than one thousand folders.

I am unable to found any of the above condition in my case. Also fixes mentioned in this article is not relevant to my case except the last registry change which i don't want to apply for one user.

Then i decided to view the connections on the mailbox server. I downloaded TCP view utility from sysinternals (one of the best sites for troubleshooting tools). After running TCP view i have seen lots of connections coming to mailbox server but the user name which i was searching was not visible in the list of connections, then i ran following command on exchange management shell for finding out the source IP of the user having problem

Get-logonstatistics username | FT ClientIPAddress

After viewing the IP Address i searched the IP address in the TCP View and was able to found lots of connections coming from the same IP, i killed these sessions by using Kill option in TCP view and then again tried to open the outlook and the issue gone !!!!  I have also informed the user to have a look on his PC for checking if there is any third party software or any other MAPI program which is causing this issue for having a permanent fix for this.

Friday, July 10, 2009

Storage in Exchange 2010: Webcast

Join the new webcast on exchange 2010 storage technology planned to be delivered on July 13 2009. Following is the registration link

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032418920&EventCategory=4&culture=en-US&CountryCode=US

Exchange 2010 updates for Windows Mobile

During some researching i found an interesting video on Exchange 2010 mobile features and thought worth to blog. As per this video introduction

 

Adam Glick shows us the newest Exchange 2010 features for Windows Mobile 6.1/6.5 and explains the goals the team had for the client mobile experience. On his WM 6.5 device, he walks us through conversation view, ignore/move conversation, voice mail preview, voice to text, and get free/busy. Additionally, he tells us about the new allow/block/quarantine phone list and reporting built in to Exchange 2010.

 

Check out this video on following link

http://edge.technet.com/Media/Exchange-2010-updates-for-Windows-Mobile/

Monday, July 6, 2009

Publishing Exchange 2007 OWA via ISA 2006 Reverse Proxy

The best way to publish OWA is to publish via ISA reverse proxy deployment. In this blog i will discuss the process for publishing OWA via ISA reverse proxy. The process will be like this;

1. Generate CSR for Exchange 2007 CAS server(s).

I have discussed CSR generation in my previous blogs (http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/ and http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/) if you have more than one CAS servers then you have to repeat the steps for all of them.

Make sure you have included all Subject Alternative  Names (SANs) in your certificate requests such as for webmail, auto discover services etc.

2. Submit this request to online Certificate Authorities such as VeriSign, Thwate or Entrust for purchasing UCC (Unified communication certificate). (Exchange 2007 only supports UCC type certificates, UCC=multiple SANs).

3. Now we have to import these certificates to Exchange CAS servers.( I have discussed these steps in my previous blog http://khurramullah.wordpress.com/2009/07/01/importing-certificates-to-exchange-servers/)

4. Now we have to deploy this certificate to ISA servers. In order to do this you have to first Export certificate from CAS server in .PFX format and then imports it to the ISA servers. Following is the process for doing this;

  1. Open Certificate MMC Snap in on the CAS server for local computer.
  2. Go to personal container and locate the certificate which you want to Deploy on ISA Server.
  3. Export this certificate with private key in .PFX format.
  4. Copy this certificate on ISA Server.
  5. Open Certificate MMC Snap in on the ISA server for local computer.
  6. Import the copied certificate.
  7. Repeat steps 4 to 7 if you have more than one ISA Servers.

5. Forms-based authentication can be configured on the Client Access server when not using ISA Server to publish Exchange Web client access. When ISA Server is being used to publish Exchange Web client access, forms-based authentication should only be configured on the ISA Server computer following are the steps for validating this;

  1. Start the Exchange Management Console.
  2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
  3. Select a Client Access server and then select owa (Default Web Site) on the Outlook Web Access page.OWA5
  4. In the action pane, click Properties under owa (Default Web Site).
  5. Select the Authentication page, and confirm that the following are selected: Use one or more of the following standard authentication methods and Integrated + Basic authentication (password is sent in clear text).clip_image001
  6. Click OK.
  7. Review the Microsoft Exchange Warning dialog box and click OK. clip_image001[6]
  8. Restart IIS by running following command: "iisreset /noforce".
  9. Perform this procedure for every Exchange Client Access server.

6. On the CAS server please make sure that “Forms based authentication” is not configured on the Exchange Client Access Activesync folder. By default it is configured for basic authentication.This folder is configured to Basic authentication by default.

7. On the enabling page for Outlook Anywhere, we will use Basic authentication (default).

OWA1

Note: The external host name used here should match the common name or FQDN used in the server certificate installed on the ISA Server computer

8. Now we need to publish a Rule for OWA on ISA but before doing this we need to configure web Listener for OWA which will be responsible for  listening OWA requests, following are the steps for configuring web listener for OWA

  1. In the console tree of ISA Server Management, click Firewall Policy:
  2. For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
  3. For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  4. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table

Page

Field or property

Setting

Welcome

Web listener name

Type a name for the Web listener. For example, type Exchange Web Listener.

Client Connection Security

Select what type of connections this Web listener will establish with clients

Select Require SSL secured connections with clients.

Web Listener IP Addresses

Listen for incoming Web requests on these networks

ISA Server will compress content

Select the External and Internal networks.

Check box should be selected (default).

Click Select IP Addresses

External Network Listener IP Selection

Listen for requests on

Available IP Addresses

Select Specified IP addresses on the ISA Server computer in the selected network.

Select the correct IP address and click Add.

clip_image001

clip_image002  Notes

For ISA Server Enterprise Edition with an NLB-enabled array, you should select a virtual IP address.

Listener SSL Certificates

Select a certificate for each IP address, or specify a single certificate for this Web listener

Select Assign a certificate for each IP address.

Select the IP address you just selected and click Select Certificate.

Choose the certificate corresponding to the url mapped to this IP in the public DNS/NAT configuration

Example:

External 192.168.1.101 for abcmail; .102 for xyzmail and .103 for autodiscover

Internal: 192.168.12.101 for abcmail; .102 for xyzmail (autodiscover is resolved differently in intranet)

clip_image003

Authentication Settings

Select how clients will provide credentials to ISA Server

Select how ISA Server will validate client credentials

Select HTML Form Authentication for forms-based authentication and select the appropriate method that ISA Server will use to validate the client's credentials.

clip_image004

Single Sign On Settings

Enable SSO for Web sites published with this Web listener

SSO domain name

Leave the default setting to enable SSO.

To enable SSO between two published sites, such as abcmail.Contoso.com and autodiscover.Constoso.com, type .Contoso.com (with the dot)

clip_image005[1]

Completing the New Web Listener Wizard

Completing the New Web Listener Wizard

Review the selected settings and click Back to make changes or Finish to complete the wizard.

 

9.  Now after creating web Listener we need to publish a rule for OWA, following are the steps for this process;

  1. In the console tree of ISA Server Management, click Firewall Policy:
  2. For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
  3. On the Tasks tab, click Exchange Web Client Access Publishing rule.image
  4. Use the wizard to create the rule as outlined in the following tables. For a single Web server, use the table in New Exchange Publishing Rule wizard for a single Web site. If you are using a server farm, use the table in New Exchange Publishing Rule wizard for a server farm.

    Page

    Field or property

    Setting

    Welcome

    Exchange Publishing rule name

    Type a name for the rule. For example Constoso OWA Publishing Rule

    Select Services

    Exchange version

    Web client mail services

    Select Exchange Server 2007.

    Select the desired access method – begin with OWA, then Outlook Anywhere (Select to publish additional folders) and finally choose ActiveSync

    clip_image001[8]

    Publishing Type

    Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites

    Select Publish a single Web site or load balancer.

    clip_image002[11]

    Server Connection Security

    Choose the type of connections ISA Server will establish with the published Web server or server farm

    Select Use SSL to connect to the published Web server or server farm.

    clip_image003[1]  Note

    A server certificate must be installed on the published Exchange Client Access server, and the root CA certificate of the CA that issued the server certificate on the Exchange Client Access server must be installed on the ISA Server computer.

    Internal Publishing Details

    Internal site name

    Type abc.contoso.com or whatever you like

    clip_image004  Important

    The internal site name must match the name of the server certificate that is installed on the internal Exchange Client Access server.

    Public Name Details

    Accept requests for

    Public name

    This domain name (type below)

    Type the domain name that you want ISA Server to accept the connection for. For example, type abc.contoso.com. This must match the FQDN of the certificate selected when creating the Web listener.

    clip_image005[3]

    Select Web Listener

    Web listener

    Select the Web listener you created previously, Exchange Web Listener

    Authentication Delegation

    Select the method used by ISA Server to authenticate to the published Web server

    For Outlook Web Access, select Basic Authentication.

    For Exchange ActiveSync, select Basic Authentication

    For Outlook Anywhere, select Basic Authentication

    clip_image006[6]

    User Sets

    This rule applies to requests from the following user sets

    Select the user set approved to access this rule. Replace the default All Authenticated users with All Users

    clip_image007[5]

    Pass the warning

    clip_image008[4]

    Completing the New Exchange Publishing Rule Wizard

    Completing the New Exchange Publishing Wizard.

    Review the selected settings, click Back to make changes or Finish to complete the wizard.

    Note: When publishing Outlook Web Access, after you click Finish, review the Remaining Exchange Publishing Tasks dialog box, and then click OK.

  5. In the path tab (properties of the OWA rule), add the path “/” in order to be able to access OWA without typing /owa at the end of the url

 

Saturday, July 4, 2009

Microsoft Antigen for Exchange

If you wan to try Microsoft Antigen for Exchange before purchasing it then here is your link

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=866b63bf-6207-4197-9c5d-511b7212e40c

You can download this trial version and test it for free.

TechNet for Exchange 2010

If you have installed exchange 2010 and wants help on some features or stuck in some issue and wants to fix it, then don't worry there is a separate TechNet website dedicated for this purpose and contains plethora of information on exchange 2010, check it out

http://technet.microsoft.com/en-us/exchange/2010/default.aspx

Exchange 2010 Beta for Download

Wants to try Exchange 2010 ? why wait, now Microsoft has published exchange 2010 beta on their website for downloading and using for 360 days, Following is the link;

http://technet.microsoft.com/en-us/evalcenter/dd185495.aspx

Note: Exchange 2010 Beta can only run on 64 bit machines.

Exchange 2010 Virtual Lab

Good news for all of those who wants to see and experience what is exchange 2010 look like. Below is the link of one of the virtual labs in exchange 2010 series

Exchange Server 2010 (Beta) Setup and Deployment Virtual Lab

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032419057&EventCategory=3&culture=en-US&CountryCode=US

Wednesday, July 1, 2009

Importing Certificates to Exchange 2007 servers

In my previous blogs (http://khurramullah.wordpress.com/2009/07/01/command-for-generating-csr-for-exchange-servers/ and http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/) i have discussed how we can generate CSR for different exchange roles. Here i will discuss how we can import certificates to different exchange roles. Following is the command for importing certificates;

Import-ExchangeCertificate -Path “c:\path\generated SAN certif_name.cer” –friendlyname “<Certificate Friendly Name>”

After running this command successfully you should be seeing the thumbprint of the new certificate. Copy the full thumbprint value because you will required this in the next commands.

Now you have to enable your certificate for specific services for example for SMTP and Web services.

For enabling CAS server certificates run this command:

Get-exchangecertificate <Thumbprint>| enable-exchangecertificate -services "IIS”

 

For enabling Edge server certificates run this command

Get-exchangecertificate <Thumbprint>| enable-exchangecertificate -services "SMTP”

After running above command run Get-exchangecertificate again for verifying if services are enabled or not.

You can also combine the above 2 commands like this;

Import-ExchangeCertificate -Path “c:\path\generated SAN certif_name.cer” –friendlyname “<Certificate Friendly Name>” | enable-exchangecertificate -services "IIS”

Following are the possible values for services parameter;

  • IMAP
  • POP
  • UM
  • IIS
  • SMTP
  • None

Do not import exchange certificate by normal certificate importing methods (import from certificate MMC Snap in) otherwise certificate will not going to work. Also make sure you have Trusted root CA and Intermediate CA certificates installed in their relevant stores otherwise certificate will have issues.

In case you want to import or apply the same certificate to another Edge or CAS server then you need to perform following addition steps;

1. Open Certificate MMC Snap in on the server for local computer.

2. Go to personal container and locate the certificate which you had just imported.

3. Export this certificate with private key.

5. Copy this certificate on the server where you want to configure this certificate.

6. Run following command on the second server which you want to configure from the same certificate;

Import-ExchangeCertificate -Path c:\path\<certificate file>.pfx –Password:(Get-Credential).password

The Get-Credential cmdlet in the above command pops up a standard username\password dialog box. This is little bit confusing because we don't need a username to get to the keys, just put whatever you want for the username, but put the password that you used when you ran the Export certificate wizard the Certificate Manager snap-in in MMC.

7. Run command Get-ExchangeCertificate to get the thumbprint of this certificate.

8. Run command EnableCertificate –thumbprint <copy the thumbprint> -services “IIS”

9. After running above command run Get-exchangecertificate again for verifying if services are enabled or not.

Command for Generating CSR for Exchange servers

During Edge server configuration, you are required to bind a certificate to edge server for securing edge server communication. For this you have to run a powershell command which will generate a required CSR for you ( I have discussed a tool for CSR generation in my previous blog http://khurramullah.wordpress.com/2009/07/01/exchange-2007-certificate-request-generator/). Here in this blog i will discuss the powershell command for CSR generation. A typical command will be like this

New-ExchangeCertificate -GenerateRequest -Path c:\Server1_Contoso_com.csr -KeySize 1024 -SubjectName "c=SG, s=, l=Singapore, o=Fictious Enterprise, ou=Information Technology, cn=Server1.Contoso.com"  -PrivateKeyExportable $True

 

There are some important parameters in this command which i will discuss below

Path: The path where the CSR file will save.

KeySize: possible values are 1024, 2048.

Subject Name: Subject name consists of different parameters which are;

c=Country, c=State, I=City, o= organization, ou=organization unit or department, cn=common name (for example the public name of your website)

 

PrivateKeyExportable: This will mark the key as exportable so you can backup it and deploy it to another server if required.

Exchange 2007 Certificate Request Generator

Generating CSR for any exchange 2007 role is little bit tricky and required a quite long Powershell command to run. For making it lot simpler a company named as digicert has published a free tool on internet which is accepting different parameters and provide us a powershell command which we can run and generate CSR for any server role, Following is the link of this tool;

DigiCert's Exchange 2007 CSR generation Tool

https://www.digicert.com/easy-csr/exchange2007.htm